Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use the output from a previous search to use as a time range on my next search?

norbertkiammacl
Explorer
‎12-17-2015 04:34 AM

I have a filter that extracts the date and time just like below.

index=_server _raw="*completed*" | head 1 | eval end_time=strftime(max(_time), "%m/%d/%Y:%H:%M:%S")

But I would like to have another search that uses the date/time I got from the first search to my second search something like the below.

index=_server _raw="*completed*" | head 1 | eval end_time=strftime(max(_time), "%m/%d/%Y:%H:%M:%S") | append [search index=_server | where _time < end_time]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-17-2015 08:42 AM

I can't test the following on a Splunk instance right now, but what about the other way around and using subsearches and "latest" instead:

index=_server  [ |search index=_server _raw="completed" | head 1 | rename _time as latest | return latest ]

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-17-2015 08:42 AM

I can't test the following on a Splunk instance right now, but what about the other way around and using subsearches and "latest" instead:

index=_server  [ |search index=_server _raw="completed" | head 1 | rename _time as latest | return latest ]
Reply
Solved! Jump to solution

norbertkiammacl
Explorer
‎12-19-2015 01:21 AM

Exactly what I need, 'return' is the key. Cheers!

0 Karma
Reply
Solved! Jump to solution

emaccaferri
Communicator
‎12-17-2015 06:53 AM

I think you could use your search that identifies the end_time as in this example http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchTutorial/Useasubsearch

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...